Inactive Malware Continues To Remain Active After Being Deleted From PC

Qakbot/Pinkslipbot

Advanced technology and current trends in the digital market go hand in hand: staying up to date in the modern world also means staying secure in the digital world, and that raises certain privacy concerns. These concerns are crucial on PCs and laptops, which are mainly used for office and personal work, and now on smartphones too, which combine both worlds. No matter how many antivirus programs and firewalls you have installed on a device, there is no 100% protection from malware, even though the software claims to deliver it.

Recently, the security firm McAfee found that one piece of malware remains alive and active even after being deleted from the PC. Qakbot, an old-fashioned banking Trojan first detected in 2007, is more dangerous than ever in modern times. Also known as Pinkslipbot, this banking Trojan has been active for the last ten years and stays active even after it has been deleted from the infected PC. According to the McAfee researchers, Qakbot continues to get more dangerous and uses infected devices as control servers. The Trojan continues to infect and to carry out its malicious activities after being deleted from the PC.

How Does It Affect?

Why are we so concerned about Qakbot, and why have we never shared this piece of information with you before? Well, the reason is that we were not sure about the news and we wanted to do some research on it.

Qakbot can steal the user's financial credentials that are saved and used for online transactions. The malware captures this information through a keylogger or through man-in-the-browser attacks.

The malware does not stop there; Qakbot also downloads harmful programs through a backdoor.

Now the question arises: how does the malware infect other PCs? Qakbot controls a massive set of 500,000 infected PCs, which can steal more than half a million records a day. If you have attached removable drives to one of these infected PCs, it becomes easy for Qakbot to enter your PC and steal saved data. We explain this more precisely below.

Qakbot can spread from an affected PC in two ways: automatically, or on a manual remote command from the C&C server. To activate it, the attacker issues command 13, which is also known as NBSCAN. To infect other machines:

The malware uses the infected machine's credentials and combinations of the same user's login and domain credentials.

If Qakbot fails to access the PC from the domain controller or the target machine, it is likely to fall back on a hardcoded username list.

To gain access to the network, Qakbot tries various username and password combinations, which mainly succeed against weak and default passwords. The attack is possible under three password schemes.

The reversed username is used as the password, e.g. username: ceat123; password: 321taec

In dictionary-attack style, the username is combined with a list of various hardcoded passwords.
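
As an added example (not from the original article or from McAfee), the sketch below turns the password schemes listed above into a check that rejects such passwords when an account password is set. The weak-password list, function names and sample accounts are constructed, and "combined" is taken to mean either the listed password alone or the username concatenated with it.

```python
"""Password-change check for the guessing schemes described above.
Added example; WEAK_PASSWORDS is a constructed stand-in list, not Qakbot's."""

WEAK_PASSWORDS = ["password", "123456", "admin", "welcome1", "qwerty"]  # constructed


def account_name(username: str) -> str:
    """Strip a DOMAIN\\ prefix or @domain suffix and lowercase the name."""
    name = username.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.strip().lower()


def weak_password_reasons(username, password, weak_list=WEAK_PASSWORDS):
    """Return the reasons a candidate password would fall to these schemes."""
    name = account_name(username)
    pw = password.lower()  # compare case-insensitively
    reasons = []
    if name and pw == name[::-1]:
        reasons.append("reversed-username")
    for weak in (w.lower() for w in weak_list):
        if pw == weak:
            reasons.append("listed-password")
        elif name and pw in (name + weak, weak + name):
            reasons.append("username-plus-listed-password")
    return reasons


def audit(candidates):
    """Map each (username, password) pair to its reasons; empty means pass."""
    return {user: weak_password_reasons(user, pw) for user, pw in candidates}


if __name__ == "__main__":
    # Constructed sample input: the first pair is the article's own example.
    sample = [
        ("ceat123", "321taec"),
        ("CORP\\jsmith", "jsmithwelcome1"),
        ("alice@example.test", "Qwerty"),
        ("bob", "t7#Lq9!vXw2k"),
    ]
    for user, reasons in audit(sample).items():
        print(f"{user}: {'REJECT ' + ', '.join(reasons) if reasons else 'ok'}")
```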

What kind of data does Qakbot steal from the infected PC? The malware records and obtains several kinds of financial data and credentials: credit card names, social security numbers, digital certificates, online banking credentials, email and passwords, etc. So far there is no proactive fix that kills Qakbot and permanently paralyses its ability to mutate. Recently, apart from the banking and commercial sectors, Qakbot attacks have been seen in the pharmaceutical and IT sectors too. Qakbot targets US-based enterprises, using HTTP-based control servers. For further updates on getting rid of Qakbot from the PC, we will get back soon.